Fortinet Forum
hussnainalijaved
New Contributor

How to block Soft Ether VPN client

Hi,

 

I am using a FortiGate 90D firewall with Current Running Firmware: FGT90D-5.00-build271. I am using a policy #1 where all internal office traffic is passing to WAN1 (INTERNET). I have activated a web filter profile (which is working fine) and application control on policy #1. In application control I have blocked the Soft Ether VPN application but it's not working.

 

Many people in my office are using the same software to connect to the blocked sites. Need help.

 

Regards

Hussnain Ali Javed

14 REPLIES
waleedMagdy
New Contributor

Sometimes APP control did not block proxy programs like VPN tunnels.

I tried to block it using APP control but it is still working.

hussnainalijaved
New Contributor

Anyone on the Fortinet support team, please check and reply.

Irfan_Pathan
New Contributor III

Create a new policy and block tunnelling services. See attached screenshot.
emnoc
Esteemed Contributor III

FWIW: That fwpolicy will only work if the protocols are matched, and you can change the port and services used by the client. I'm curious: has anybody blocked this via any new FortiOS release, and how well does application identification for this service compare to PaloAlto AppID?

 

 

 

PCNSE 

NSE 

StrongSwan  

hussnainalijaved
New Contributor

Dear Irfan,

 

I have tried what you recommended but it's still not working. Any other solution?

Irfan_Pathan
New Contributor III

Hi,

 

SoftEther VPN uses the HTTPS protocol in order to establish a VPN tunnel. The HTTPS (HTTP over SSL) protocol uses TCP/IP port 443 as the destination. This port is well-known, and almost all firewalls, proxy servers and NATs will pass packets that belong to the HTTPS protocol.

 

1. Go to Policies & objects > SSL/SSH Inspection > select your profile > Enable full SSL inspection. This SSL profile uses deep inspection. End users will likely see certificate warnings unless the certificate is installed in their browser.

2. In your Application sensor add signature "SoftEther" and set action to "reset". 

 

-Irfan Pathan

nbctcp
New Contributor III

@Pathan

Have you tried blocking SoftEther vpngate yourself?

I already tried many ways but it can still go through.

Here are my settings:

1. Application Control/P2P Block or Reset

NOTE: P2P includes SoftEther

2. Policy & Objects/Policy/IPv4/P2P

SSL/SSH Inspection: deep inspection ON

3. I also tried blocking Service/Tunneling as in your other post.

But still no success.

 

FortiNet, I can still bypass your firewall using either SoftEther or Open Proxy.

For Open Proxy, I'll post in other thread

Please do something.

PaloAlto can successfully block SoftEther.

I'll also try Cyberoam today

 

https://nbctcp.wordpress.com/

buntha
New Contributor

Hi!!

You should follow these instructions:

You can try the following custom application control signatures. 

UDP Connections:

F-SBID( --protocol udp; --flow from_client; --src_port 10000:; --dst_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >16; --data_size <40; --tag set,softEther.UDP.tag; --app_cat 6; )
# please set this signature to 'Monitor'

F-SBID( --protocol udp; --flow from_server; --src_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >90; --data_size <350; --tag test,softEther.UDP.tag; --app_cat 6; )
# please set this signature to 'Reset'

TCP Connections (Please set the following custom signatures to block or reset):

F-SBID( --protocol tcp; --service SSL; --flow from_server; --pattern ".opengw.net"; --context host; --no_case; --app_cat 6; )

F-SBID( --protocol tcp; --seq =,1,relative; --service SSL; --flow from_client; --pattern "|16 03 01|"; --within 3,packet; --pattern "|01|"; --context packet; --distance 5,context; --within 1,context; --pattern "|00 00 6E|"; --context packet; --distance 37; --within 3; --pattern "|01 00|"; --context packet; --distance 110; --within 2; --pattern "|00 0f 00 01 01|"; --context packet; --distance 5,context,reverse; --within 5,context; --pcre "/[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}/"; --context host; --app_cat 6; )

F-SBID( --protocol tcp; --seq =,1,relative; --service SSL; --flow from_client; --pattern "|16 03 01|"; --within 3,packet; --pattern "|01|"; --context packet; --distance 5,context; --within 1,context; --pattern "|00 2a 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff|"; --context packet; --distance 0; --pattern "|00 00|"; --context packet; --distance 0; --pattern "|00 00|"; --context packet; --distance 4; --pcre "/[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}/"; --context packet; --distance 15,context,reverse; --app_cat 6; )

There is a bug with UDP signatures having detection loss in certain unique cases like VPNGate. It is currently being analyzed and fixed by the engine team. We will update you when a patch is available. An alternative would be to try the custom signatures for UDP connections. There could be some false positive risks though.
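
Added example (not part of the post above, and not Fortinet's engine logic): a simplified Python approximation of what the TCP signatures look for, namely a TLS 1.0 ClientHello (record bytes 16 03 01, handshake type 01) whose host name ends in .opengw.net or is a dotted-quad IP address. The function names, result labels and sample packets are constructed for illustration.

```python
import re
import struct

IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def build_client_hello(host: str) -> bytes:
    """Constructed sample: minimal TLS 1.0 ClientHello carrying one SNI entry."""
    name = host.encode()
    sni = struct.pack("!BH", 0, len(name)) + name
    sni_list = struct.pack("!H", len(sni)) + sni
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(pkt: bytes):
    """Return the SNI host name from a TLS 1.0 ClientHello record, or None."""
    # Handshake record with version 03 01, handshake type 01 at offset 5.
    if len(pkt) < 43 or pkt[0:3] != b"\x16\x03\x01" or pkt[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32  # record hdr, handshake hdr, client version, random
    try:
        pos += 1 + pkt[pos]                                    # session id
        pos += 2 + struct.unpack_from("!H", pkt, pos)[0]       # cipher suites
        pos += 1 + pkt[pos]                                    # compression
        end = pos + 2 + struct.unpack_from("!H", pkt, pos)[0]  # extensions
        pos += 2
        while pos + 4 <= min(end, len(pkt)):
            ext_type, ext_len = struct.unpack_from("!HH", pkt, pos)
            pos += 4
            if ext_type == 0:  # server_name: list len(2), type(1), len(2), name
                name_len = struct.unpack_from("!H", pkt, pos + 3)[0]
                return pkt[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        return None  # truncated or malformed record
    return None

def classify(pkt: bytes) -> str:
    """Label a packet the way the host-pattern signatures would match it."""
    host = extract_sni(pkt)
    if host is None:
        return "no-sni"
    if host.lower().endswith(".opengw.net"):
        return "opengw-host"
    if IPV4_RE.fullmatch(host):
        return "ipv4-literal-sni"
    return "ok"
```

An IP-literal host name in a ClientHello is unusual for browser traffic, which is why it is useful as a detection hint, but it can also appear from other non-browser clients, so treat a match as a lead to review rather than proof.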


nbctcp
New Contributor III

I am new to this custom Application Signature.

 

STEPS:

I click Security Profiles/Application Control/View Application Signatures

click Create New

 

QUESTIONS:

1. What should I type there, because I believe the maximum is 255 characters?

2. Should I create 2 Application Sensors, because in your steps there are signatures for Monitor and Block?

 

thanks